Apparently, Microsoft Edge has had a secret whitelist that allows Facebook to run Adobe Flash code without users’ knowledge. As noted in a report by ZDNet, the secret whitelist contains Facebook Flash content that supersedes Edge security features, including its “click2play” policy, that usually prevents websites from running Flash without prior user approval.
Before February 2019, this secret whitelist contained 58 entries, including domains and subdomains for Microsoft’s MSN portal, Deezer, Yahoo, and Chinese social network QQ. Microsoft narrowed down the list to two Facebook domains after the vulnerability was discovered by a Google Project Zero security researcher, Ivan Fratric.
Fratric discovered the flaws in Edge’s secret Flash whitelist mechanism and described what he found:
- An XSS vulnerability on any of the domains would allow bypassing click2play policy [and running malicious Flash code on these domains].
- There are already *publicly known* and *unpatched* instances of XSS vulnerabilities on at least some of the whitelisted domains.
- The whitelist is not limited to https. Even in the absence of an XSS vulnerability, this would allow a MITM attacker to bypass the click2play policy.
In November 2018, Fratric filed a bug report with Microsoft. In response, Microsoft delivered a fix for this issue this past Patch Tuesday. Before the patch, Edge would allow Facebook to execute any Flash widget that has a dimension over 398×298 pixels and is hosted on either the https://www.facebook.com or https://apps.facebook.com domains. The reason for the possible security flaw is that Facebook is on Microsoft Edge’s whitelist to support Facebook’s massive catalog of legacy Flash games.
When dealing with any other Flash widget, Edge defaults to its click2play policy and requests user permission to execute Flash through an address bar icon. Fratric posted the vulnerability in a post on Twitter.
The default Flash whitelist in Edge (https://t.co/JxStUIxByE) really surprised me. So many sites for which I'm completely baffled as to why they're there. Like a site of a hairdresser in Spain(https://t.co/50xdJvzksA)?! I wonder how the list was formed. And if MSRC knew about it.
— Ivan Fratric (@ifsecure) February 19, 2019
Microsoft commented on ZDNet’s story, adding: “We are nearing the point where Flash is no longer part of the default experience in Microsoft Edge on any site and the recent changes in February were the next step of the transition plan.” Adobe and big-name browsers, including Chrome, are ceasing support for Flash by the end of 2020. Meanwhile, Microsoft recently announced plans to change Edge from using its proprietary EdgeHTML to Google’s Chromium.